Department of Health and Human Services
OFFICE OF INSPECTOR GENERAL

WEAKNESSES IN IDAHO’S INFORMATION SYSTEM GENERAL CONTROLS OVER ITS MEDICAID CLAIMS PROCESSING SYSTEM INCREASE VULNERABILITIES

Inquiries about this report may be addressed to the Office of Public Affairs at Public.Affairs@oig.hhs.gov.

Thomas M. Salmon
Assistant Inspector General

March 2014
A-09-12-03009

Office of Inspector General
https://oig.hhs.gov

The mission of the Office of Inspector General (OIG), as mandated by Public Law 95-452, as amended, is to protect the integrity of the Department of Health and Human Services (HHS) programs, as well as the health and welfare of beneficiaries served by those programs. This statutory mission is carried out through a nationwide network of audits, investigations, and inspections conducted by the following operating components:

Office of Audit Services

The Office of Audit Services (OAS) provides auditing services for HHS, either by conducting audits with its own audit resources or by overseeing audit work done by others. Audits examine the performance of HHS programs and/or its grantees and contractors in carrying out their respective responsibilities and are intended to provide independent assessments of HHS programs and operations. These assessments help reduce waste, abuse, and mismanagement and promote economy and efficiency throughout HHS.

Office of Evaluation and Inspections

The Office of Evaluation and Inspections (OEI) conducts national evaluations to provide HHS, Congress, and the public with timely, useful, and reliable information on significant issues. These evaluations focus on preventing fraud, waste, or abuse and promoting economy, efficiency, and effectiveness of departmental programs. To promote impact, OEI reports also present practical recommendations for improving program operations.

Office of Investigations

The Office of Investigations (OI) conducts criminal, civil, and administrative investigations of fraud and misconduct related to HHS programs, operations, and beneficiaries. With investigators working in all 50 States and the District of Columbia, OI utilizes its resources by actively coordinating with the Department of Justice and other Federal, State, and local law enforcement authorities. The investigative efforts of OI often lead to criminal convictions, administrative sanctions, and/or civil monetary penalties.

Office of Counsel to the Inspector General

The Office of Counsel to the Inspector General (OCIG) provides general legal services to OIG, rendering advice and opinions on HHS programs and operations and providing all legal support for OIG’s internal operations. OCIG represents OIG in all civil and administrative fraud and abuse cases involving HHS programs, including False Claims Act, program exclusion, and civil monetary penalty cases. In connection with these cases, OCIG also negotiates and monitors corporate integrity agreements. OCIG renders advisory opinions, issues compliance program guidance, publishes fraud alerts, and provides other guidance to the health care industry concerning the anti-kickback statute and other OIG enforcement authorities.

Notices

THIS REPORT IS AVAILABLE TO THE PUBLIC at https://oig.hhs.gov

Section 8L of the Inspector General Act, 5 U.S.C. App., requires that OIG post its publicly available reports on the OIG Web site.

OFFICE OF AUDIT SERVICES FINDINGS AND OPINIONS

The designation of financial or management practices as questionable, a recommendation for the disallowance of costs incurred or claimed, and any other conclusions and recommendations in this report represent the findings and opinions of OAS. Authorized officials of the HHS operating divisions will make final determination on these matters.

EXECUTIVE SUMMARY

Idaho did not implement adequate information system general controls over its Medicaid claims processing system. We identified 19 reportable weaknesses in access controls, configuration management, and security management.

WHY WE DID THIS REVIEW

The U.S. Department of Health and Human Services (HHS) oversees States’ use of various Federal programs, including Medicaid. State agencies are required to establish appropriate automatic data processing (ADP) security requirements and conduct biennial reviews of ADP system security used in the administration of State plans for Medicaid and other Federal entitlement benefits.
This review is one of a number of HHS Office of Inspector General reviews of States’ ADP systems used to administer HHS-funded programs.

Our objective was to determine whether the Idaho Department of Health and Welfare (State agency) implemented adequate information system general controls over its Medicaid claims processing system.

BACKGROUND

The State agency administers the Medicaid program. During fiscal year 2012, the State agency provided Medicaid services to over 225,000 Medicaid beneficiaries, totaling more than $1.6 billion in expenditures.

This review covered the State agency’s information system general controls over its Medicaid claims processing system. As part of its overall administration of the Medicaid claims processing system, the State agency contracted with Molina Medicaid Solutions (Molina) to operate the Medicaid Management Information System (MMIS). The MMIS processes Medicaid claims and manages sensitive claims data, such as beneficiary names and Social Security numbers. The State agency uses the State’s computer and telecommunications facility to access the MMIS; therefore, this review focused on the security of the State agency’s network. We will review Molina’s information system general controls over the MMIS in a separate audit.

To accomplish our objective, we reviewed policies and procedures, interviewed staff, and reviewed supporting documentation. Also, we used an audit software-scanning program to determine whether selected network devices had security-related vulnerabilities.

WHAT WE FOUND

The State agency did not implement adequate information system general controls over its Medicaid claims processing system. Specifically, we identified 19 reportable weaknesses, which we consolidated into 5 findings and grouped into the following categories: access controls, configuration management, and security management.

Idaho’s Information System General Controls Over Its Medicaid Claims Processing System (A-09-12-03009)

• Access controls. The State agency had inadequate logical access security controls, including inadequate password settings for securing its network and inadequate encryption of network passwords. In addition, the State agency had inadequate physical access security controls to restrict access to its computer and telecommunications facility to only individuals who need access to the facility to perform their job duties.

• Configuration management. The State agency had inadequate settings for network devices, such as allowing the use of insecure network protocols (the language of rules and conventions for communication between network devices) and the use of network services (functions that help networks to operate more efficiently) that were not necessary for the State agency’s network.

• Security management. The State agency had inadequate security control policies and procedures, including inadequate policies to verify sanitization of data and disposal of devices and no policies and procedures to periodically review and account for inventory of portable devices. In addition, the State agency had inadequate personnel policies and procedures related to security awareness training, training for employees with significant responsibilities for information security, completion of exit documents for transferred and terminated employees, and background checks of employees.

We ranked each of the findings as high impact.

Although we did not find evidence that the weaknesses had been exploited, exploitation could result in unauthorized access to and disclosure of sensitive information, as well as disruption of critical operations to the Medicaid program. As a result, we believe that the weaknesses are collectively and, in some cases, individually significant and could potentially compromise the integrity of the Medicaid program. In addition, without proper safeguards, systems are unprotected from individuals and groups with malicious intent to obtain access to commit fraud, waste, or abuse or launch attacks against other computer systems and networks.

WHAT WE RECOMMEND

We recommend that the State agency implement adequate information system general controls over its Medicaid claims processing system. Specifically, we recommend that the State agency:

• implement adequate logical access security controls to enforce the requirement that passwords not be reused and use a secure method to store its encrypted network passwords;

• implement additional physical access security controls to restrict access to its computer and telecommunications facility to only individuals who need access to the facility to perform their job duties;

• implement secure configuration settings for its network devices;

• strengthen policies and follow existing procedures to verify data sanitization and device disposal and implement policies and procedures to periodically review and account for inventory of all portable devices; and

• implement adequate personnel policies and procedures for general security awareness training, training for employees with significant responsibilities for information security, completion of exit documents for transferred and terminated employees, and background checks of employees, including those hired from providers or contractors.

STATE AGENCY COMMENTS AND OUR RESPONSE

In written comments on our draft report, the State agency concurred with our finding on inadequate logical access controls and provided information on actions taken to address our first recommendation. The State agency also concurred with our second, fourth, and fifth recommendations and provided information on actions that it had taken or planned to take to address our recommendations.

Regarding our third recommendation, the State agency concurred that modifications may be necessary for the identified weaknesses in settings for network devices and stated that changes to configuration settings were in the process of being made. However, the State agency commented that some changes to these settings were not appropriate and provided one example. After reviewing it, we determined that one of the weaknesses was not reportable and removed it from the final report. However, we did not revise the wording of our third recommendation.

TABLE OF CONTENTS

INTRODUCTION
    Why We Did This Review
    Objective
    Background
        Federal Oversight of States’ Automatic Data Processing Systems
        Idaho Medicaid Program
        Information System General Controls
    How We Conducted This Review

FINDINGS
    Federal Requirements
    State Agency Had Inadequate Access Controls
        Inadequate Logical Access Security Controls
        Inadequate Physical Access Security Controls
    State Agency Had Inadequate Configuration Management
        Inadequate Settings for Network Devices
    State Agency Had Inadequate Security Management
        Inadequate Security Control Policies and Procedures
        Inadequate Personnel Policies and Procedures

RECOMMENDATIONS

STATE AGENCY COMMENTS AND OFFICE OF INSPECTOR GENERAL RESPONSE

APPENDIXES
    A: Audit Scope and Methodology
    B: Requirements Related to Information System General Controls
    C: State Agency Comments

INTRODUCTION

WHY WE DID THIS REVIEW

The U.S. Department of Health and Human Services (HHS) oversees States’ use of various Federal programs, including Medicaid. State agencies are required to establish appropriate automatic data processing (ADP) security requirements and conduct biennial reviews of ADP system security used in the administration of State plans for Medicaid and other Federal entitlement benefits. This review is one of a number of HHS Office of Inspector General reviews of States’ ADP systems used to administer HHS-funded programs.

OBJECTIVE

Our objective was to determine whether the Idaho Department of Health and Welfare (State agency) implemented adequate information system general controls over its Medicaid claims processing system.

BACKGROUND

Federal Oversight of States’ Automatic Data Processing Systems

Federal regulations require State agencies to determine appropriate ADP security requirements based on recognized industry standards or standards governing security of Federal ADP systems and information processing (45 CFR part 95). In addition, these regulations require HHS to conduct periodic onsite reviews of State and local agencies to determine the adequacy of ADP methods and practices and to ensure that ADP equipment and services are used for purposes consistent with proper administration under the Social Security Act.

Idaho Medicaid Program

The State agency administers the Medicaid program. During fiscal year 2012, the State agency provided Medicaid services to over 225,000 Medicaid beneficiaries, totaling more than $1.6 billion in expenditures.

This review covered the State agency’s information system general controls over its Medicaid claims processing system.
As part of its overall administration of the Medicaid claims processing system, the State agency contracted with Molina Medicaid Solutions (Molina) to operate the Medicaid Management Information System (MMIS). The MMIS processes Medicaid claims and manages sensitive claims data, such as beneficiary names and Social Security numbers. The State agency uses the State’s computer and telecommunications facility to access the MMIS; therefore, this review focused on the security of the State agency’s network. We will review Molina’s information system general controls over the MMIS in a separate audit.

Information System General Controls

Information system general controls include policies and procedures that apply to an entity’s overall computer operations. Some primary objectives of general controls are to safeguard data, protect computer application programs, prevent unauthorized access to system software, and ensure continued operations in case of unexpected interruptions.

The Medicaid program depends on general controls, which are critical to ensuring the confidentiality, integrity, and availability of critical information and information systems. In addition, without proper safeguards, systems are unprotected from individuals and groups with malicious intent to obtain access to commit fraud, waste, or abuse or launch attacks against other computer systems and networks.[1]

[1] Fraud represents intentional acts of deception with knowledge that the action or representation could result in an inappropriate gain. Waste includes inaccurate payments for services, such as unintentional duplicate payments. Abuse represents actions inconsistent with acceptable business or medical practices.

HOW WE CONDUCTED THIS REVIEW

We reviewed the State agency’s information system general controls over its Medicaid claims processing system. To accomplish our objective, we used appropriate procedures from the Government Accountability Office’s Federal Information System Controls Audit Manual (FISCAM), which provides guidance on evaluating general controls over computer-processed data from information systems. We reviewed policies and procedures, interviewed staff, and reviewed supporting documentation. To perform our tests, we used an audit software-scanning program and judgmentally selected two types of network devices for testing to identify security-related configuration vulnerabilities.

We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

Appendix A describes our audit scope and methodology.

FINDINGS

The State agency did not implement adequate information system general controls over its Medicaid claims processing system. Specifically, we identified 19 reportable weaknesses, which we consolidated into 5 findings and grouped into the following categories: access controls, configuration management, and security management.

• Access controls. The State agency had inadequate logical access security controls, including inadequate password settings for securing its network and inadequate encryption of network passwords. In addition, the State agency had inadequate physical access security controls to restrict access to its computer and telecommunications facility to only individuals who need access to the facility to perform their job duties.

• Configuration management. The State agency had inadequate settings for network devices, such as allowing the use of insecure network protocols (the language of rules and conventions for communication between network devices) and the use of network services (functions that help networks to operate more efficiently) that were not necessary for the State agency’s network.

• Security management. The State agency had inadequate security control policies and procedures, including inadequate policies to verify sanitization of data and disposal of devices and no policies and procedures to periodically review and account for inventory of portable devices. In addition, the State agency had inadequate personnel policies and procedures related to security awareness training, training for employees with significant responsibilities for information security, completion of exit documents for transferred and terminated employees, and background checks of employees.

We ranked each of the findings as high impact.

Although we did not find evidence that the weaknesses had been exploited, exploitation could result in unauthorized access to and disclosure of sensitive information, as well as disruption of critical operations to the Medicaid program. As a result, we believe that the weaknesses are collectively and, in some cases, individually significant and could potentially compromise the integrity of the Medicaid program. In addition, without proper safeguards, systems are unprotected from individuals and groups with malicious intent to obtain access to commit fraud, waste, or abuse or launch attacks against other computer systems and networks.

FEDERAL REQUIREMENTS

Federal requirements from the Health Insurance Portability and Accountability Act Security Rule for access management appear in 45 CFR part 164. For additional requirements, we used Office of Management and Budget (OMB) Circular No. A-130, Appendix III; National Institute of Standards and Technology (NIST) Special Publication 800-12, An Introduction to Computer Security: The NIST Handbook; NIST Special Publication 800-50, Building an Information Technology Security Awareness and Training Program; and NIST Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations.

See Appendix B for Federal and other requirements related to information system general controls.

STATE AGENCY HAD INADEQUATE ACCESS CONTROLS

Access controls limit or detect inappropriate access to computer resources (data, equipment, and facilities), thereby protecting them from loss, disclosure, and unauthorized modification.
Such controls include both logical and physical controls:

• Logical access controls require users to authenticate themselves (by using passwords or other identifiers) and limit the files and other resources that authenticated users can access and the actions that they can execute.

• Physical access controls restrict physical access to computer resources and protect them from intentional or unintentional loss or impairment.

In assessing the State agency’s access controls, we identified weaknesses in its logical and physical access security controls. Inadequate access controls diminish the reliability of computerized information and increase the risk of unauthorized disclosure, modification, and destruction of sensitive information and disruption of service.

Inadequate Logical Access Security Controls

The State agency had not implemented adequate logical access security controls. Specifically, we noted the following:

• The State agency had an inadequate password setting for securing its network. Although the State agency’s password history policy prohibited password reuse, the State agency did not enforce this requirement on its network password setting.[2]

• The State agency did not store its encrypted passwords on its network server using a secure method.

[2] Password history determines the number of unique new passwords that have to be associated with a user account before an old password can be reused.

State agency officials said that their password history setting would be changed to prohibit password reuse and they planned to use a secure method to store encrypted network passwords.

Without strong logical access security controls, there is an increased risk of unauthorized access to sensitive computer systems and data.

Inadequate Physical Access Security Controls

The State agency had not implemented adequate physical access security controls to restrict access to its computer and telecommunications facility, which contained equipment that connected to the MMIS. Specifically, we noted that more than 60 individuals, including the Governor, law enforcement, and the fire department, had access to the facility but did not need access to perform their job duties.

A State agency official agreed that too many individuals had access to the computer and telecommunications facility and stated that he believed that State law required certain individuals, such as the Governor, law enforcement, and the fire department, to have access. We asked the official to provide us with the law that required those individuals to have access. The official stated that he asked two other State officials and neither could find such a law.

If access to the computer and telecommunications facility is not restricted to individuals who need access to perform their job duties, there is an increased risk that computer resources and sensitive information, such as electronic protected health information (ePHI), may not be protected from intentional or unintentional loss or damage.

STATE AGENCY HAD INADEQUATE CONFIGURATION MANAGEMENT

Configuration management provides reasonable assurance that (1) changes to information system resources, such as the settings of devices on the network,[3] are authorized and (2) systems are configured and operated securely and as intended. Configuration management policies and procedures should be developed, documented, and implemented at the entitywide, system (hardware), and application (software) levels to ensure the security of the system.

Inadequate Settings for Network Devices

The State agency did not adequately configure the security of its network devices. We judgmentally selected two types of network devices (one router and two switches) for testing and used an audit software-scanning program that queries and extracts information from the devices to identify potential security-related configuration vulnerabilities. We identified a total of 10 weaknesses in this area: 5 related to a router, 3 related to a switch, and 2 related to both. For example, the State agency allowed the use of insecure network protocols[4] to manage network devices.
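
The two weakness classes in this finding, insecure protocols used to manage a device and default services (the report names Maintenance Operations Protocol) left enabled although the network does not need them, can be checked against a saved running configuration before any scanning tool is run. The script below is an added example written for this edit, not code from the report, the State agency, or the audit software the auditors used. It assumes Cisco IOS-style configuration syntax (the report does not name the device vendor), treats Telnet and cleartext HTTP as the insecure management protocols and MOP as the unnecessary service, and uses two constructed sample configurations: the weak one beside the same device after remediation.

```python
"""
Audit a network device's running configuration for the two classes of
weakness in the report's configuration management finding: insecure
protocols used to manage the device, and services such as Maintenance
Operations Protocol (MOP) left enabled although the network does not need them.

Assumptions (not from the report): the configuration uses Cisco IOS-style
syntax, Telnet and cleartext HTTP count as the insecure management protocols,
MOP is the unnecessary service, and both sample configurations are constructed.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample: a weak configuration of the kind the report describes.
WEAK_CONFIG = """\
hostname edge-router
!
ip http server
no ip http secure-server
!
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
!
interface GigabitEthernet0/1
 ip address 198.51.100.1 255.255.255.0
 no mop enabled
!
line vty 0 4
 transport input telnet ssh
 login local
"""

# Constructed sample: the same device after remediation.
HARDENED_CONFIG = """\
hostname edge-router
!
no ip http server
ip http secure-server
!
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 no mop enabled
!
interface GigabitEthernet0/1
 ip address 198.51.100.1 255.255.255.0
 no mop enabled
!
line vty 0 4
 transport input ssh
 login local
"""


@dataclass(frozen=True)
class Finding:
    severity: str
    where: str
    message: str


def parse_blocks(config: str) -> List[Tuple[str, List[str]]]:
    """Split IOS-style text into (header, body) pairs; body holds the indented
    sub-commands, and a plain global command has an empty body."""
    blocks: List[Tuple[str, List[str]]] = []
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue  # blank lines and '!' separators carry no configuration
        if line.startswith(" ") and blocks:
            blocks[-1][1].append(line.strip())
        else:
            blocks.append((line, []))
    return blocks


def audit_config(config: str) -> List[Finding]:
    findings: List[Finding] = []
    blocks = parse_blocks(config)
    global_commands = {header for header, body in blocks if not body}

    # 1. Insecure management protocols: cleartext HTTP and Telnet.
    if "ip http server" in global_commands:
        findings.append(Finding("high", "global",
                                "cleartext HTTP management enabled (ip http server)"))
    for header, body in blocks:
        if not header.startswith("line vty"):
            continue
        transports = [b for b in body if b.startswith("transport input")]
        if not transports:
            findings.append(Finding("high", header,
                                    "no 'transport input' restriction on management line"))
        for t in transports:
            allowed = set(t.split()[2:])
            if "telnet" in allowed or "all" in allowed:
                findings.append(Finding("high", header,
                                        f"cleartext Telnet management allowed ({t})"))

    # 2. Unnecessary services: MOP stays at its default unless an interface
    #    carries an explicit 'no mop enabled' (default state is not shown).
    for header, body in blocks:
        if header.startswith("interface") and "no mop enabled" not in body:
            findings.append(Finding("medium", header,
                                    "MOP not disabled (missing 'no mop enabled')"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        results = audit_config(cfg)
        print(f"== {label}: {len(results)} finding(s)")
        for f in results:
            print(f"  [{f.severity}] {f.where}: {f.message}")
```

Run stand-alone, the script reports three findings for the weak configuration (HTTP management, Telnet on the vty lines, and MOP still enabled on the first interface) and none for the hardened one. Because a running configuration only lists settings that differ from the vendor default, the MOP check looks for the absence of the explicit disable rather than for an "enabled" line; that is the general pattern for auditing any default-on service from saved configuration text.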
In addition, the State agency did not restrict services on network devices, such as Maintenance Operations Protocol used to connect to remote systems, which were not necessary for the State agency’s network. Manufacturers configure devices with default settings that are not needed for every network.

State agency officials said that the devices had been configured a long time ago and had not been updated.

Because the State agency’s network devices are integral to ensuring the security of the claims processing system, failure to adequately secure the devices exposes the network and its resources to attacks on the confidentiality, integrity, and availability of sensitive information, such as ePHI. Such information includes names, addresses, birth dates, Social Security numbers, and medical information.

[3] Devices used to secure networks include (1) routers that filter and forward data along the network and (2) switches that forward information among segments of a network.

[4] Network protocols define a language of rules and conventions for communication between network devices.

STATE AGENCY HAD INADEQUATE SECURITY MANAGEMENT

An entitywide program for security planning and management is the foundation of an entity’s security control structure and a reflection on senior management’s commitment to addressing security risks.

In assessing the State agency’s entitywide security program, we identified weaknesses in the following critical elements: (1) documenting and implementing security control policies and procedures and (2) implementing effective security awareness and other security-related personnel policies and procedures. Weaknesses in these elements increase the risk of unauthorized use, disclosure, modification, or loss of sensitive information and information systems supporting the agency’s mission.

Inadequate Security Control Policies and Procedures

The State agency had not implemented adequate security control policies and procedures. Specifically, we noted the following:

• The State agency did not have adequate policies to verify sanitization of data[5] and disposal of devices, such as hard drives. Also, the State agency did not follow its procedures to:
    o document that data could not be recovered from sanitized devices,
    o identify the method used to remove data from discarded devices,
    o obtain the name and signature of the supervisor responsible for data sanitization, and
    o identify the disposal method for devices.

• The State agency did not have specific inventory policies and procedures for portable devices, such as laptop computers and Universal Serial Bus storage devices, and did not account for these devices.

[5] Sanitization is the process of deliberately and irreversibly removing or destroying data on a device.

State agency officials stated that they were in the process of approving a policy to verify that data could not be recovered from sanitized equipment and discarded devices. State agency officials were not aware that the contractor was not following procedures to sanitize State data on devices and to dispose of devices.

State agency officials stated that there were general inventory policies and procedures for items costing more than $2,000. However, State agency officials had not yet developed and implemented standard agencywide policies and procedures to inventory portable devices costing less than $2,000.

Without adequate policies and procedures for verifying data sanitization and device disposal, the State agency cannot ensure that State data are properly sanitized and devices are properly disposed of.

Without adequate inventory controls for all portable devices, the State agency is at risk of a data breach. Portable devices costing as little as $50 could contain ePHI and be easily lost or stolen, making the State potentially liable for millions of dollars because of a data breach.[6]

[6] The Ponemon Institute’s report entitled 2013 Cost of Data Breach Study: United States indicated that the average cost of a data breach for an organization in 2012 was $5.4 million.

Inadequate Personnel Policies and Procedures

The State agency had not implemented adequate personnel policies and procedures. Specifically, we noted the following:

• The State agency did not provide periodic refresher training on general security awareness to employees with access to the MMIS. The State agency provided security awareness training only to new employees.

• The State agency did not have policies to ensure that all employees with significant responsibilities for information security obtain training in their security responsibilities. We judgmentally selected five employees and found that while all five had received training within the last year, one of those five had not received any training in the prior 20 years.

• The State agency did not have policies to ensure that exit documents were completed for all transferred and terminated employees. We judgmentally selected five terminated employees and found that the State agency did not have exit documents for three of them. Exit documents show the steps to be completed when an employee is transferred or terminated, including collecting keys and electronic keycards and notifying network administrators to remove the employee’s network access.

• The State agency did not have adequate policies for background checks of employees who had access to ePHI. We judgmentally selected 10 employees who had access to ePHI and found that the State agency did not perform background checks for 3 employees and did not have adequate documentation for 1 employee.

State agency officials stated that they were not aware that periodic refresher training on general security awareness was required. Although State agency officials stated that employees with significant responsibilities received training, there were no policies requiring it. State agency officials stated that individual units within the State agency did not always document completion of termination procedures.

State agency officials stated that they recruited individuals from providers and contractors that had worked with the State agency.
Because the officials were already familiar with these\nindividuals, they did not perform background checks.\n\nWithout adequate policies and procedures on training, there is an increased risk that employees\nwith access to the MMIS may not be appropriately trained to fulfill their security responsibilities.\nIn addition, employees with significant responsibilities for information security may not be able\nto remain up to date with the latest information and tools to help protect sensitive information.\n\nWithout adequate policies and procedures on completion of exit documents, the State agency\nruns the risk of failing to remove transferred and terminated employees\xe2\x80\x99 physical and logical\naccess, which could result in unauthorized access to ePHI, compromising of data, or sabotaging\nof information systems.\n\n\nIdaho\xe2\x80\x99s Information System General Controls Over Its Medicaid Claims Processing System (A-09-12-03009)   7\n\x0cWithout adequate policies and procedures on performing background checks of employees,\nincluding individuals whom an organization is already familiar with, an organization runs the\nrisk of hiring unqualified or untrustworthy individuals. 
In addition, background checks help\ndetermine whether an individual is suitable for a given position.\n\n                                       RECOMMENDATIONS\n\nWe recommend that the State agency:\n\n    \xe2\x80\xa2   implement adequate logical access security controls to enforce the requirement that\n        passwords not be reused and use a secure method to store its encrypted network\n        passwords;\n\n    \xe2\x80\xa2   implement additional physical access security controls to restrict access to its computer\n        and telecommunications facility to only individuals who need access to the facility to\n        perform their job duties;\n\n    \xe2\x80\xa2   implement secure configuration settings for its network devices;\n\n    \xe2\x80\xa2   strengthen policies and follow existing procedures to verify data sanitization and device\n        disposal and implement policies and procedures to periodically review and account for\n        inventory of all portable devices; and\n\n    \xe2\x80\xa2   implement adequate personnel policies and procedures for general security awareness\n        training, training for employees with significant responsibilities for information security,\n        completion of exit documents for transferred and terminated employees, and background\n        checks of employees, including those hired from providers or contractors.\n\n                            STATE AGENCY COMMENTS AND\n                       OFFICE OF INSPECTOR GENERAL RESPONSE\n\nIn written comments on our draft report, the State agency concurred with our finding on\ninadequate logical access controls and provided information on actions taken to address our first\nrecommendation. 
The State agency also concurred with our second, fourth, and fifth\nrecommendations and provided information on actions that it had taken or planned to take to\naddress our recommendations.\n\nRegarding our third recommendation, the State agency concurred that modifications may be\nnecessary for the identified weaknesses in settings for network devices and stated that changes to\nconfiguration settings were in the process of being made. However, the State agency commented\nthat some changes to these settings were not appropriate and provided one example. After\nreviewing it, we determined that one of the weaknesses was not reportable and removed it from\nthe final report. However, we did not revise the wording of our third recommendation.\n\nThe State agency\xe2\x80\x99s comments are included as Appendix C. We redacted information that we\nconsidered to be sensitive.\n\n\nIdaho\xe2\x80\x99s Information System General Controls Over Its Medicaid Claims Processing System (A-09-12-03009)   8\n\x0c                   APPENDIX A: AUDIT SCOPE AND METHODOLOGY\n\nSCOPE\n\nWe reviewed the State agency\xe2\x80\x99s information system general controls over its Medicaid claims\nprocessing system. We did not perform penetration testing or review the State agency\xe2\x80\x99s overall\ninternal control structure.\n\nWe conducted our audit from September 2012 to January 2013. We performed our fieldwork at\nthe State agency\xe2\x80\x99s office in Boise, Idaho.\n\nMETHODOLOGY\n\nTo accomplish our objective, we used appropriate procedures from FISCAM, which provides\nguidance on evaluating general controls over computer-processed data from information\nsystems. We reviewed policies and procedures, interviewed staff, and reviewed supporting\ndocumentation. 
To perform our tests, we used an audit software-scanning program and\njudgmentally selected two types of network devices for testing to identify security-related\nconfiguration vulnerabilities.\n\nTo determine the potential impact of each finding, we used information described in Federal\nInformation Processing Standards Publication 199, which defines the following three levels of\npotential impact should there be a breach of security (i.e., a loss of confidentiality, integrity, or\navailability):\n\n    \xe2\x80\xa2   low if the loss of confidentiality, integrity, or availability could be expected to have a\n        limited adverse effect on organizational operations, organizational assets, or individuals;\n\n    \xe2\x80\xa2   moderate if the loss of confidentiality, integrity, or availability could be expected to have\n        a serious adverse effect on organizational operations, organizational assets, or\n        individuals; and\n\n    \xe2\x80\xa2   high if the loss of confidentiality, integrity, or availability could be expected to have a\n        severe or catastrophic adverse effect on organizational operations, organizational assets,\n        or individuals.\n\nWe conducted this performance audit in accordance with generally accepted government\nauditing standards. Those standards require that we plan and perform the audit to obtain\nsufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions\nbased on our audit objectives. 
We believe that the evidence obtained provides a reasonable basis\nfor our findings and conclusions based on our audit objectives.\n\n\n\n\nIdaho\xe2\x80\x99s Information System General Controls Over Its Medicaid Claims Processing System (A-09-12-03009)   9\n\x0c                       APPENDIX B: REQUIREMENTS RELATED TO\n                      INFORMATION SYSTEM GENERAL CONTROLS\n\nGENERAL FEDERAL REQUIREMENTS\n\nFederal regulations (45 CFR part 95) require State agencies to determine appropriate ADP\nsecurity requirements based on recognized industry standards or standards governing security of\nFederal ADP systems and information processing. In addition, these regulations require HHS to\nconduct periodic onsite reviews of State and local agencies to determine the adequacy of ADP\nmethods and practices and to ensure that ADP equipment and services are used for purposes\nconsistent with proper administration under the Social Security Act.\n\nFederal requirements from the Health Insurance Portability and Accountability Act Security Rule\nfor access management appear in 45 CFR part 164.\n\nACCESS CONTROLS\n\nMicrosoft policies and procedures, as contained in the Windows XP Security Guide, provide\nrecommendations for passwords.\n\nThe State agency\xe2\x80\x99s password policy, Policy Memorandum No. 
05-06, section 4.2, states that\npasswords are not to be reused.\n\nFederal regulations state that a covered entity must implement procedures to control and validate\na person\xe2\x80\x99s access to facilities based on their role or function (45 CFR \xc2\xa7 164.310(a)(2)(iii)).\n\nCONFIGURATION MANAGEMENT\n\nFederal regulations state that covered entities must \xe2\x80\x9c[i]mplement technical security measures to\nguard against unauthorized access to electronic protected health information that is being\ntransmitted over an electronic communications network\xe2\x80\x9d (45 CFR \xc2\xa7 164.312(e)(1)) and also\nmust \xe2\x80\x9c[i]mplement a mechanism to encrypt electronic protected health information whenever\ndeemed appropriate\xe2\x80\x9d (45 CFR \xc2\xa7 164.312(e)(2)(ii)).\n\nSECURITY MANAGEMENT\n\nNIST Special Publication 800-53, Security and Privacy Controls for Federal Information\nSystems and Organizations, section MP-6, states that the organization must track, document, and\nverify media sanitization and disposal actions.\n\nFederal regulations state that a covered entity must \xe2\x80\x9c[i]mplement policies and procedures that\ngovern the receipt and removal of hardware and electronic media that contain electronic\nprotected health information into and out of a facility, and the movement of these items within\nthe facility\xe2\x80\x9d (45 CFR \xc2\xa7 164.310(d)(1)).\n\n\n\n\nIdaho\xe2\x80\x99s Information System General Controls Over Its Medicaid Claims Processing System (A-09-12-03009)   10\n\x0cNIST Special Publication 800-53, Appendix F, section CM-8, recommends that the organization\ndevelop, document, and maintain an inventory of information system components that includes\ninformation deemed necessary to achieve effective property accountability. 
In addition, section\nCM-8 states that information necessary to achieve property accountability can include hardware\ninventory specifications, such as manufacturer, model, serial number, and component owner.\n\nOMB Circular No. A-130, Appendix III, section A.3.a.2.b, indicates that individuals are to be\nappropriately trained in how to fulfill their security responsibilities before allowing them access\nto the system, and periodic refresher training is required for continued access to the system.\n\nNIST Special Publication 800-50, Building an Information Technology Security Awareness and\nTraining Program, section 1.5.2, states that chief information officers should work with the\nagency information-technology (IT) security program manager to ensure that agency personnel\nwith significant security responsibilities obtain sufficient training in their security\nresponsibilities. Section 1.5 explains that one way to help ensure that an IT security program\nmatures is to develop and document in policy the training responsibilities for those key positions\non which the success of the program depends.\n\nNIST Special Publication 800-12, An Introduction to Computer Security: The NIST Handbook,\nsection 10.2.5.1, states that, because terminations can be expected regularly, a standard set of\nprocedures for outgoing or transferred employees should be put in place. These procedures are\npart of the standard employee separation process that is in place to ensure that system accounts\nare removed in a timely manner. The separation process also includes the control of keys; the\nbriefing on the responsibilities for confidentiality and privacy; and several other functions not\nnecessarily related to information security, such as the return of property.\n\nOMB Circular No. 
A-130, Appendix III, section A.3.a.2.c, indicates that background check\nscreening must occur before an individual is authorized to bypass significant technical and\noperational security controls and periodically thereafter.\n\n\n\n\nIdaho\xe2\x80\x99s Information System General Controls Over Its Medicaid Claims Processing System (A-09-12-03009)   11\n\x0c                                   APPENDIX C: STATE AGENCY COMMENTS \n\n\n\n\n\n                                                 I 0 A H 0               DEPARTMENT                                            OF\n\n                                                 HEALTH & WELFARE\n                C.L."BUTCtf OTTER- Governor                                                               PAIJI.J.LEARY - \xc2\xad\n                RICHARD M. ARMSTRONG - Diredor                                                                 DIVISION~ MEDICAl>\n                                                                                                                 PostOllite Elox 831\'20\n                                                                                                               Bolse, ldaflo 8312().(0)9\n                                                                                                               PHONE: (208) 334-5747\n                                                                                                                   FAX: (208) 364-1811\n\n\n\n            D ecember 12,2013\n\n            Ms. Lori A. Ah lstrand\n            Regional Inspector General\n            Office of Audit Services, Region IX\n            Department of Health and Human Services\n            90 - i 11 Street, Ste 3-650\n            San Francisco, CA 94103\n\n            RE: Report Number A-90-12-03009\n\n            Dear Ms. 
Ahlstrand:\n\n            In response to the draft findings detai led in Report Number A-09-12-03009, please find the\n            Department\'s responses below.\n\n            OIG Finding: Inadequate Logical Access Security Controls- The State agency had an\n            inadequate password setting for securing its network. Although the State agency\'s password\n            history policy prohibited password reuse, the State agency did not enforce this requirement on its\n            network password setting.\n\n            OIG Recommendation: Iinplement adequate logical access security controls to enforce the\n            requirement that passwords not be reused and use a secure method to store its encrypted network\n            passwords.\n\n            State Response: We concur with the finding and have implemented the OIG\'s recommendations\n            regarding enforcement of password history, minimum and maximum age, length and complexity\n            requirements.\n\n            OIG Finding: Inadequate Logical Access Security Controls- The State agency did not store its\n            encrypted passwords on its network server using a secure method.\n\n            OIG Recommendation: Use a secure method to store its encrypted network passwords.\n\n\n\n\n            7\n                Office ofInspector General Note- The deleted text has been redacted because it is sensitive information.\n\n\n\n\nIdaho\'s Information System General Controls Over Its Medicaid Claims Processing System (A-09-12-03009)                                     12\n\x0c             Lori A . 
Ahlstrand\n             December 12,2013\n             Page 2 of4\n\n             OIG Finding: Inadequate Physical Access Security Controls-                          The State agency had not\n             implemented adequate physical access security contro ls to restrict                 access to its computer and\n             telecommunications facility, which contained equipment that                         connected to the MMIS.\n             Specifically, we noted that more than 60 individuals, including the                 Govemor, law enforcem ent,\n             and the fire depa11m ent, had access to the faci lity but did not need              access to perform their job\n             duties.\n\n             OIG Recommendation: Implement additional physical access security controls to restrict access\n             to its computer and telecommunications facility to only ind ividuals who need access to the\n             facility to perform their job duties.\n\n             State Response: We concur with this specific recommendation. The Department is in the\n             process of working with our building security team to restrict access to the computer and\n             telecommunications facility to individuals w ho need access to perfmm their job duties.\n\n             OIG Finding: Inadequate Settings for Network Devices- We identified a total of 11\n             weaknesses in this a rea: related to a router, 4 related to a switch, and 2 related to both. For\n             example, the State agency allowed the use of insecure network protocols to manage network\n             devices. In addition, the State agency did not restrict services on network devices, such as\n             Maintenance Operations Protocol used to connect to remote systems, which were not necessary\n             for the State agency\'s network. 
Manufacturers configme devices wit h default settings that are\n             not needed for every network.\n\n             OIG Recommendation: Implement secure configuration settings for its network c\\evices.\n\n            State Response: We concur that modifications may be necessary for the ide ntified weaknesses.\n            Changes to configuration settings that do not disrupt MMIS business processes are in the process\n            of being made. To date, our a                         that\n                         For\n\n\n            OIG Finding: Inadequate Security Control Policies and Procedures- The State agency did not\n            have adequate policies to verify sanitization of data and disposal of devices, such as hard drives.\n            Also, the State agency d id not follow its procedures to:\n               o \t document that data could not be recovered from sanitized devices,\n               o \t identify the m ethod used to remove data from discarded devices,\n               o \t obtain the name and signature of the super visor responsible for data sanitization, and\n                    identify the disposal method for devices.\n\n            OIG Recomm endation: Strengthen policies and follow existing procedures to verify data\n            sanitization and device disposal.\n\n            State Response: We concur with this specific recommendation. ITSD will update Policy- 300\xc2\xad\n            34 Digital Media Sanitization Policy, to add the requested clarification. Procedures wi ll be\n            created to supp011 the updated policy.\n\n\n\n            8\n                Office ofInspector General Note- The deleted text has been redacted because it is sensitive information.\n\n\n\n\nIdaho\'s Information System General Controls Over Its Medicaid Claims Processing System (A-09-12-03009)                         13\n\x0c            Lori A. 
Ahlstrand\n            Decem her 12, 2013\n            Page 3 of4\n\n\n            OJG Finding: Inadequate Security Control Policies and Procedures- The State agency did not\n            have specific inventory policies and procedures for portable devices, such as laptop computers\n            and USB storage devices, and did not account tor these devices.\n\n            OIG Recommendation: Implement policies and procedures to periodically review and account\n            for inventory ofall portable devices.\n\n            State Response: We concur with this specific recommendation. TT will create a policy and\n            supporting procedures to account for and review the inventory of pottable devices.\n\n            OIG Finding: Inadequate Personnel Policies and Procedures- The State agency did not\n            provide periodic refresher training on general security awareness to employees with access to the\n            MMIS. The State agency provided security awareness tl-aining only to new employees.\n\n            OIG Recommendation: Implement adequate personnel policies and procedures for general\n            security awareness training.\n\n            State Response: We concur with this specific recommendation. IT wiU research available\n            training to support this requirement and implement initial and periodic training.\n\n            OIG Finding: Inadequate Personnel Policies and Procedures- The State agency did not have\n            policies to ensure that all employees with significant responsibilities for infotmation security\n            obtain tTaining in their security responsibilities. 
We judgmentally selected five employees and\n            fOLllld that while all five had received training within the last year, one of those five had not\n            recei ved any training in the prior 20 years.\n\n            OIG Recommendation: Implement adequate personnel policies and procedures for training for\n            employees with significant responsibilities for information security.\n\n            State Response: We concur with this specific recommendation. IT, for the depa11ment will\n            research available training to support this requirement.\n\n            OIG Finding: Inadequate Personnel Policies and Procedures- The State agency did not have\n            policies to ensure that exit documents were completed for all transferred and terminated\n            employees. We judgmentally selected five tem1inated employees and found that the State agency\n            did not have exit documents for three of them. Exit documents show the steps to be completed\n            when. an employee is transferred or terminated, including collecting keys and electronic keycards\n            and notifying network administrators to remove the employee\'s network access.\n\n            OIG Recommendation: Implement adequate personnel policies and procedures for transferred\n            and terminated employees.\n\n\n\n\nIdaho\'s Information System General Controls Over Its .Medicaid Claims Processing System (A-09-12-03009)         14\n\x0c             Lori A. 
Ahlstrand\n             December 12, 2013\n             Page 4 of4\n\n             State Response: We concur with the finding and are in the process of formalizing and\n             implementing expanded policies and procedures to ensure exit documents are completed fo r all\n             transferred and terminated employees as recommended.\n\n             OIG Finding: Inadequate Personnel Policies and Procedures- The State agency did not have\n             adequate policies for background checks of employees who had access to ePHI. We\n             judgmentally selected 10 employees who had access to ePHI and found that the State agency did\n             not perform background checks for 3 employees and did not have adequate documentation for 1\n             employee.\n\n             OIG Recommendation: Implement adequate personnel policies and procedures for background\n             checks ofemployees, including those hired from providers or contractors.\n\n             State Response: We concur with the recommendation. The Depmtment has existing policies and\n             procedures addressing background checks in its HR Policy and Procedures Man ual , Section 11B2.\n             The Department will implement additional internal checks to ensure compliance with the policy\n             and OIG\'s recommendations.\n\n             If you have any questions regm\xc2\xb7ding the Depa1tment\'s responses to these findings, please contact\n             Lisa Hettinger, Chief, Bureau of Financial Operations at (208) 287-1141.\n\n\n\n\n             PJL/ksl\n\n\n\n\nIdaho \'s Information System General Controls Over Its Medicaid Claims Processing System (A-09- 12-03009)        15\n\x0c'
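The network-device finding (unneeded default services such as Maintenance Operations Protocol, and insecure protocols used to manage the devices) and the configuration scanning described in the methodology can be illustrated by a small static configuration check. This is an added example, not the audit scanning program OIG used or the State agency's configuration; it assumes Cisco IOS-style syntax and that MOP is enabled by default on Ethernet interfaces, and both sample configurations below are constructed.

```python
"""Static check of a network-device configuration for two classes of weakness:
insecure management transports and unneeded default services (MOP).

Added illustration; assumes Cisco IOS-style configuration syntax.
The two configurations below are constructed for this example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    location: str  # the config block (or top-level line) where the issue was found
    issue: str


# Management transports that carry credentials in cleartext; "all" enables them too.
INSECURE_TRANSPORTS = {"telnet", "rlogin", "all"}


def _blocks(config: str):
    """Yield (header, [indented sub-lines]) for each top-level config block."""
    header, body = None, []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue  # blank lines and IOS comment separators
        if raw[0].isspace():
            body.append(raw.strip())
        else:
            if header is not None:
                yield header, body
            header, body = raw.strip(), []
    if header is not None:
        yield header, body


def check_config(config: str) -> list[Finding]:
    """Return one Finding per weakness; an empty list means the checks passed."""
    findings = []
    for header, body in _blocks(config):
        if header.startswith("interface ") and "Ethernet" in header:
            # Assumption: MOP defaults to enabled on Ethernet interfaces, so only an
            # explicit "no mop enabled" counts as having disabled the service.
            if "no mop enabled" not in body:
                findings.append(Finding(header, "MOP left at default (enabled)"))
        elif header.startswith("line vty"):
            transports = [ln for ln in body if ln.startswith("transport input")]
            if not transports:
                findings.append(Finding(header, "transport input not restricted"))
            for ln in transports:
                bad = set(ln.split()[2:]) & INSECURE_TRANSPORTS
                if bad:
                    findings.append(Finding(
                        header, "insecure management transport: " + " ".join(sorted(bad))))
        elif header == "ip http server":
            findings.append(Finding(header, "cleartext HTTP management enabled"))
    return findings


# Constructed sample: defaults left in place, Telnet allowed for management.
WEAK_CONFIG = """\
hostname edge-router
!
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
!
ip http server
!
line vty 0 4
 transport input telnet ssh
!
"""

# Constructed sample: same device with the unneeded service and cleartext
# management protocols removed.
HARDENED_CONFIG = """\
hostname edge-router
!
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 no mop enabled
!
no ip http server
ip http secure-server
!
line vty 0 4
 transport input ssh
!
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {len(check_config(cfg))} finding(s)")
        for f in check_config(cfg):
            print(f"  {f.location}: {f.issue}")
```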